Typicality filtering of event indicators for information technology resources

ABSTRACT

A monitor for information technology resources improved by introducing typicality filters to analyze potential event indicators such as alerts. A typicality filter keeps a time-dependent history of the frequency of occurrence of an associated event, wherein time is segmented into monitoring periods. At the end of each monitoring period, a present count of occurrences of the event is determined, and compared with the numbers of occurrences of that event in a subset of monitoring periods read from the history. If the present count exceeds the number of occurrences of the event in a predetermined proportion of the subset of historical monitoring periods, a first action is invoked; otherwise, a second action is invoked.

FIELD OF THE INVENTION

The invention relates generally to the field of monitoring informationtechnology resources, and more particularly to the field of filteringevent indicators such as alerts.

BACKGROUND

As computer equipment has become increasingly complex, the difficulty inmonitoring this equipment to keep it functioning properly has becomeformidable. For example, a server attached to a network should bemonitored to ensure that the hardware and software do not malfunction,to ensure that adequate resources such as memory and disk space areavailable during peak use times, to protect the server from electronicvandalism such as hacking that arrives over the network, and so forth.

As shown in FIG. 1, a monitored device 100 such as a server may bewatched over by a monitor 110. The monitor 110 may sense trafficreceived and transmitted over a network 120 as well as sense conditionsboth internal and peripheral to the monitored device 100 such as memoryuse and disk occupancy, CPU utilization, power supply state, cabinettemperature, and numerous other measures of health.

To accomplish these purposes, the monitor 110 typically includes varioussensors 111. Here, the term “sensor” is not confined to simple hardwaredevices, nor is it necessary that the sensors reside literally withinthe monitor 110. Rather, the term is intended to encompass both softwareand hardware systems for sensing the state of parameters that haveimportance with regard to the proper operation of the monitored device110. Thus, in correspondence with the examples just mentioned, themonitor 110 may include a sensor that is an intrusion detection systemthat works in conjunction with protective equipment 130 such as afirewall, another for sensing memory use, yet another for sensing diskoccupancy, and so forth. Typically, each sensor determines the state ofassociated parameters, which state is then evaluated.

Evaluation may involve the use of persistence filters 112. In a simplecase, a persistence filter may compare the state determined by thecorresponding sensor with a preestablished threshold. If the stateviolates the threshold, the filter generates an event indicator such asan alert. For example, if the cabinet temperature exceeds ninety degreesCelsius, an alert may be generated. In other cases, the decision processmay be more complex as to whether an event indicator should begenerated, and if so, what the nature of the indicator should be. Forexample, a critical alert might be generated if the remaining disk spaceis determined to be less than 10 MB, a warning alert generated if theremaining disk space is between 10 MB and 25 MB, and an informationalalert generated if more than 25 MB remains.

The resulting event indicators may be sent to an event console 140,which may be operated by a human operator 150, or which may beautonomic. The event console 140 or the human operator 150 determineappropriate actions to invoke in response to the event indicators.

Although the configuration of FIG. 1 is now widely used, it suffers froma significant disadvantage: the operating point of the persistencefilters 112 must be set as a compromise that minimizes the generation ofboth false positives and false negatives. Here, a false positive occurswhen an event indicator is generated in response to an unimportantstate. Typically, the human operator 150 exercises independent judgmentand may decline to invoke a response to a false positive. On the otherhand, a false negative occurs when an event is not generated despite theexistence of a critical state that requires attention.

Because false negatives are generally more damaging than falsepositives, there is a tendency to configure the persistence filters toerr on the side of permissiveness, thus potentially subjecting the eventconsole 140 and the operator 150 to a flood of false positives. At somepoint, however, false positives begin to inflict their own damage bydisrupting the operation of the monitored device 100 with unneededprotective measures, or by desensitizing the operator 150 to the arrivalof critical alerts, i.e., true positives. Thus there is a need toimprove the performance of information technology resource monitors in away that minimizes the generation of false positives and falsenegatives, while preserving the capability of the monitor to unfailinglygenerate true positives when conditions warrant.

SUMMARY

The present invention improves the performance of a monitor forinformation technology resources by introducing typicality filters toanalyze events that have the potential to trigger the generation ofevent indicators such as alerts. In one embodiment of the invention, atypicality filter keeps a time-dependent history of the numbers ofoccurrences of an associated event, wherein time is segmented intomonitoring periods. At the end of each monitoring period, the number ofoccurrences of the associated event is determined, and compared with thenumber of occurrences of that event in a subset of the historicalmonitoring periods. If the number of occurrences of the event in thepresent monitoring period exceeds the number of occurrences of the eventin a predetermined proportion of the historical monitoring periods inthe specified subset, for example a majority of the members of thesubset, a first action is invoked; otherwise, a second action isinvoked.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is used for background discussion.

FIG. 2 shows a configuration that includes typicality filters accordingto the present invention.

FIGS. 3A and 3B show exemplary history tables suitable for use by atypicality filter.

FIG. 4 is a flowchart that shows operational aspects of a typicalityfilter.

FIG. 5 shows an exemplary typicality filter.

DETAILED DESCRIPTION

The present invention improves the performance of monitors forinformation technology resources, such as monitor 110 shown in FIG. 1,by introducing typicality filters to analyze events and act on theresults of the analysis. FIG. 2 shows a configuration that includestypicality filters according to the present invention. The configurationof FIG. 2 is essentially the same as the configuration of FIG. 1, wherelike numbers indicate like elements, excepting that FIG. 2 shows the useof typicality filters 200 rather than persistence filters 122, therebyimproving the performance of the monitor 110.

For a given kind of event, an associated typicality filter keeps atime-dependent history of the numbers of occurrences of the event. Thehistory encompasses a window of time. For example, in a preferredembodiment, the history spans five days. These days need not beconsecutive, however. For example, the five days may be the last fivebusiness days, or the last five Mondays, and so forth.

In the operation of a typicality filter, time is segmented intomonitoring periods. In a preferred embodiment, these periods are eachfive minutes long. Thus an exemplary history may encompass 288 suchperiods per day, for five days, giving a total of 1440 historicalmonitoring periods. For convenience, entries of the history may beorganized as shown in FIG. 3A, where a history table 300 is constructedas a matrix having N rows, where N is the number of monitoring periodsper day, and M columns, where M is the number of days in the history.Let the present day be day K. The columns then represent days K-1through K-M.

FIG. 3B shows a few elements of an exemplary history table 300′. In thisexample, the present day is October 10, and the columns correspond, fromleft to right in FIG. 3B, to October 9 through October 5. The exhibitedrows of the history table 300′ correspond, from top to bottom, to themonitoring periods beginning at 02:00, 02:05, 02:10, 02:15, 02:20, and02:25 Universal Time. The history tables 300 and 300′ are introducedhere as aids to explaining the invention rather than limitations of theinvention. The history may, of course, be stored and arranged in anyother convenient way as well as in the way illustrated by FIGS. 3A and3B.

In this illustrative embodiment, entries of the history table 300 arethe observed numbers of occurrences of the associated event during theindicated monitoring periods on the indicated days. As a runningexample, suppose that the event is the arrival of an inbound packetbearing a certain origination address thought to belong to a hacker.Suppose that during the monitoring period beginning at 02:10, one suchpacket was detected on October 5, 8, and 9, two such packets weredetected on October 7, and none on October 6. Putting these numbers inchronological order from most recent to least recent gives the row (1,1, 2, 0, 1), which corresponds to the 02:10 row of the history table300′ shown in FIG. 3B, which table is intended for use on October 10. Inthis way, history tables may be constructed and updated day by day.

FIG. 4 shows operational aspects of a typicality filter, with referenceto the configuration of FIG. 2 and the history table 300 of FIG. 3A.

At the end of the present monitoring period, the number of occurrencesof the associated event is determined (step 400). This is called herethe present count. The present count may correspond to the number ofoccurrences of the event over the course of the present monitoringperiod, or may aggregate counts of the event over a plurality ofmonitoring periods. The present count is then compared with the numbersof occurrences of that event in a subset of the monitoring periods fromthe history table 300 (steps 410, 420). In a preferred embodiment of theinvention, the subset consists of the same monitoring period on the fivemost recent days. Continuing with the running example introduced above,suppose that the present day is October 10, that the present monitoringperiod began at 02:10, and that the event in question occurred onceduring that monitoring period, giving a present count of one. Thisoccurrence of one is then compared with the entries (1, 1, 2, 0, 1) asdescribed above with respect to history table 300′, for the fiveprevious days.

The result of the comparison is determined by whether or not the presentcount exceeds a predetermined proportion of the counts of occurrences ofthe event observed in the subset of the monitoring periods. In apreferred embodiment, the predetermined proportion is a simple majority.Thus, in the running example, the count of one on October 10 in themonitoring period that began at 02:10 is compared by majority vote withthe counts for the monitoring periods begin at 02:10 on the previousfive days, i.e., (1, 1, 2, 0, 1).

If the present count exceeds the number of occurrences of the event forthe predetermined proportion of the monitoring periods of the historicalsubset, the count of events is judged to be atypical, and a first actionis invoked (step 430); otherwise, the count is judged to be typical, anda second action is invoked (step 440). Thus, in the running example, thecount of one occurrence is judged to be typical, whereas a hypotheticalcount of two occurrences of the event would be judged to be atypical,despite the historical observance of two occurrences of the event onOctober 7 during the monitoring period beginning at 02:10.

Again with reference to the running example, which concerns the arrivalof packets bearing an origination address thought to belong to a hacker,the first action (step 430), which corresponds to an atypical situation,may be to instruct the protective equipment 130 to block incomingpackets that bear the origination address in question, and the secondaction may be to log the arrival of the packet but take no furtheraction at that time. These actions, however, are only examples used toillustrate operational aspects of the invention; the inventionencompasses a wide variety of actions that would be known to thoseskilled in the art of network and resource management.

The invention also includes the typicality filter apparatus. Anexemplary typicality filter is shown in FIG. 5. The typicality filter500 comprises an event counter 510 for determining the present count ofthe number of occurrences of an event; a history table 300 as describedabove; and logic 520 for comparing the present count with numbers ofoccurrences of the event in a plurality of earlier monitoring periodsselected from the history table 300, invoking a first action if thepresent count exceeds a predetermined proportion of the numbers ofoccurrences of the event in the plurality of earlier monitoring periods,and invoking a second action if the present count does not exceed thepredetermined proportion of the numbers of occurrences of the event inthe plurality of earlier monitoring periods.

In a preferred embodiment, the typicality filter 500 may be implementedusing a memory and a programmable processor operating according tostored program control instructions, for example a microprocessor.

Thus the present invention improves the performance of the monitor 110by using a simple technique that takes into account the history ofevents experienced by the monitored device. The foregoing description ofthe invention is illustrative rather than limiting, however, and theinvention is limited only by the claims appended here.

1-4. (canceled)
 5. A program storage device readable by a machine,tangibly embodying a program of instructions executable by the machineto perform method steps suitable for filtering events in an informationtechnology resource monitor, said method steps comprising: determining apresent count of occurrences of an event for a present monitoringperiod; comparing the present count with numbers of occurrences of theevent in a plurality of earlier monitoring periods; invoking a firstaction if the present count exceeds a predetermined proportion of thenumbers of occurrences of the event in the plurality of earliermonitoring periods; and invoking a second action if the present countdoes not exceed the predetermined proportion of the numbers ofoccurrences of the event in the plurality of earlier monitoring periods;wherein the plurality of earlier monitoring periods all begin at thesame time on consecutive days previous to the present monitoring period.6. A typicality filter suitable for filtering events in an informationtechnology resource monitor, said filter comprising: an event counterfor determining a present count of occurrences of an event for a presentmonitoring period; a history table for storing numbers of occurrences ofthe event in earlier monitoring periods; and logic for comparing thepresent count with numbers of occurrences of the event in a plurality ofearlier monitoring periods selected from the history table, invoking afirst action if the present count exceeds a predetermined proportion ofthe numbers of occurrences of the event in the plurality of earliermonitoring periods, and invoking a second action if the present countdoes not exceed the predetermined proportion of the numbers ofoccurrences of the event in the plurality of earlier monitoring periods;wherein the plurality of earlier monitoring periods all begin at thesame time on consecutive days previous to the present monitoring period.7. The program storage device as recited in claim 5, wherein thepredetermined proportion is a majority.
 8. The program storage device asrecited in claim 5, wherein the second action includes logging thepresent count without taking further corrective action.
 9. Thetypicality filter as recited in claim 6, wherein the predeterminedproportion is a majority.
 10. The typicality filter as recited in claim6, wherein the second action includes logging the present count withouttaking further corrective action.